On February 12, 2009, Microsoft announced a $250,000 USD reward for information. Microsoft's Conficker Worm page has details. Bounties have been successful in the past, e.g. Netsky's author, Sven Jaschen.

Our January 30th post provided a Downadup domain blocklist for the month of February. While the domains no longer need to be blocked, such a list can still be useful to monitor for infected machines within your own network.
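One way to put such a blocklist to the monitoring use described above is to match DNS query logs against it and report the internal clients that resolved listed names. The following is an added example, not F-Secure's code: the blocklist entries are constructed placeholders (not the real February Downadup domains), the log lines are constructed in a BIND-style query-log format, and the `find_infected_hosts` function and `LOG_RE` pattern are this example's own.

```python
"""Match DNS query logs against a domain blocklist to spot infected hosts.

Added example, not F-Secure's code. The blocklist entries and log lines
below are constructed placeholders, not the real Downadup domain list.
"""
from __future__ import annotations

import re
from collections import defaultdict

# Constructed blocklist (placeholder names, not the real February list).
BLOCKLIST = {
    "abcde.example.net",
    "xk7qz.example.biz",
    "pqrst.example.info",
}

# Constructed log lines in a BIND-style query-log format.
SAMPLE_LOG = """\
12-Feb-2009 10:15:01.123 client 192.168.1.23#51234: query: abcde.example.net IN A + (192.168.1.1)
12-Feb-2009 10:15:02.456 client 192.168.1.40#51235: query: www.f-secure.com IN A + (192.168.1.1)
12-Feb-2009 10:15:03.789 client 192.168.1.23#51236: query: XK7QZ.example.biz. IN A + (192.168.1.1)
12-Feb-2009 10:15:04.000 client 192.168.1.77#51237: query: pqrst.example.info IN A + (192.168.1.1)
12-Feb-2009 10:15:05.000 client 192.168.1.40#51238: query: mail.example.org IN A + (192.168.1.1)
"""

# Extract the querying client's IP and the name it asked for.
LOG_RE = re.compile(r"client (?P<ip>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<name>\S+) IN")


def normalize(name: str) -> str:
    """Lower-case and strip the trailing dot so log names compare to the list."""
    return name.lower().rstrip(".")


def find_infected_hosts(log_text: str, blocklist: set[str]) -> dict[str, set[str]]:
    """Return {client_ip: {blocklisted names it queried}} for clients that hit the list."""
    hits: dict[str, set[str]] = defaultdict(set)
    normalized_list = {normalize(d) for d in blocklist}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # not a query line; skip
        name = normalize(m.group("name"))
        if name in normalized_list:
            hits[m.group("ip")].add(name)
    return dict(hits)


if __name__ == "__main__":
    for ip, domains in sorted(find_infected_hosts(SAMPLE_LOG, BLOCKLIST).items()):
        print(f"{ip}: {len(domains)} blocklisted lookup(s): {', '.join(sorted(domains))}")
```

Names are lower-cased and the trailing dot removed before comparison, because resolver logs frequently record both forms; a client that queries a listed name is a candidate for cleanup rather than proof of infection on its own, so the output is a list to investigate.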

Microsoft published Security Advisory (968272) on Tuesday and recommends using the Microsoft Office Isolated Conversion Environment (MOICE) as a workaround. High risk "targets" may want to consider this as standard operating procedure.

I'd show you a screenshot of the options, only I don't have Adobe Reader installed.

I find it a bit confusing how commonplace Adobe Reader has become. For some reason everybody seems to be using it for reading PDF files, even though there are plenty of free alternatives. The alternatives are much smaller and faster, and start up in under a minute.

From my point of view, Adobe Reader has become the new IE. For security reasons, avoid it if you can.

Error Check System: As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence.

It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula: create something that spawns a search, then be ready to provide results that redirect to malicious sites.

Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic… They're both.

Attempting to view the error prompted the user to allow the application. Once Error Check System was allowed, it gained access to the user's Friends, which the application then spammed with additional notifications.

What is more interesting to us at the moment is that performing a Google search for the words "Error Check System" will result in numerous links pointing to Rogue Antivirus scams.

You do not want to visit the sites highlighted in red:

The timing of this is almost too much of a coincidence.

The Facebook application didn't do very much other than spread itself… it did however create a newsworthy story. And now people will be searching for that story and will stumble upon fake antivirus sites.

One of 2008's most interesting research cases proved to be the Mebroot rootkit.

Mebroot has been characterized as possessing a "commercial-grade framework" and as being a "malware Operating System". The most notable of its features is the fact that the rootkit replaces the infected computer's Master Boot Record (MBR). Mebroot therefore compromises the computer at a very low level.

The malware has apparently gone through some extensive quality assurance. It rarely ever crashes the systems it infects, even though it runs at the kernel level. It's even been designed to send crash dumps back to its authors, so that they can improve upon their code if required.

Elia Florio of Symantec is another researcher that has analyzed Mebroot in depth. I collaborated with Elia and our efforts produced a paper for the Virus Bulletin: VB2008 conference. I delivered a presentation on the opening day of the conference. You can find our VB2008 post with PowerPoint slides here.

We can now make the paper itself available. Click the link below to download the PDF file.

One of today's samples is a trojan compiled for S60 3rd Edition phones. It's detected as TrojanWorm:SymbOS/Yxe.A.

This is something we don't see very often. There are spy tools and other privacy threats directed at S60 3rd Edition phones, but malware is still mainly an issue on S60 2nd Edition phones.

S60 3rd Edition uses a different binary structure than 2nd Edition, and all 3rd Edition applications must be signed. What's special about Yxe is that all evidence suggests it uses a valid Symbian Certificate.

The trojan was signed with this certificate, and as a signed application it gains privileged access.

The source of this trojan is China.

Here you can see the language options, EN and ZH:

Did you also notice the "Sexy View" and "Play Boy"? That should give you a good idea of the Social Engineering that's being utilized.

Our mobile analysts are still working the case. We'll have more for you as it develops.

You may also remember that Microsoft patched MS08-078 around the same time. Multiple versions of Internet Explorer were affected on multiple versions of the Windows OS and exploit code was circulating at the time. Exploit Shield 0.5 was able to proactively protect against those exploits.

Exploit Shield is designed to shield Web browsers between the development of an exploit and the release of the vendor's patch.

If you want or need a reason to test Exploit Shield, consider this month's Microsoft Updates. There were two vulnerabilities in Internet Explorer 7 for Windows XP and Windows Vista that were patched last week…

SQL injection is a type of attack that is growing in popularity — e.g. 1, 2.

It can also be used to steal information, and to show that an attack is possible.

During the last few days a Romanian group has been doing SQL injection attacks on several security vendors' websites, and early this morning they hit us. One of our servers used in gathering malware statistics had a page that didn't properly sanitize input and was therefore vulnerable to attack. Fortunately we utilize defense-in-depth strategies, so the attack was only partly successful.

Although the attackers were able to read information from the database they couldn't write or manipulate it. And they couldn't access any other data on that server because the SQL user only had access to its own database, which only contains public information that is shown on our statistics pages. So while the attack is something we must learn from and points at things we need to improve, it's not the end of the world.

The malware statistics are something we publish anyway at worldmap.f-secure.com and because of our IT security strategy, the impact was minimal.
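The two layers described in this post, a query that builds SQL from unsanitized input versus a parameterized one, and a database account that can only read its own statistics data, are shown side by side below. This is an added example and not F-Secure's code or the affected page: the `detections` table, its rows and the temporary database file are constructed, and SQLite's read-only connection mode stands in for the read-only SQL user the post describes.

```python
"""Vulnerable vs. parameterized lookup, plus a read-only connection as the
least-privilege layer that limited the damage. Added example, not F-Secure's
code; the statistics table, its rows and the database file are constructed."""
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed sample of the kind of public statistics such a page might show.
ROWS = [("FI", "Downadup", 120), ("FI", "Mebroot", 15), ("RO", "Downadup", 300)]


def build_db(path: str) -> None:
    """Create the constructed statistics table with a read-write connection."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE detections (country TEXT, malware TEXT, count INTEGER)")
    conn.executemany("INSERT INTO detections VALUES (?, ?, ?)", ROWS)
    conn.commit()
    conn.close()


def open_readonly(path: str) -> sqlite3.Connection:
    """Open the database read-only: the analogue of a DB user granted SELECT only."""
    return sqlite3.connect(f"{Path(path).as_uri()}?mode=ro", uri=True)


def vulnerable_lookup(conn: sqlite3.Connection, country: str) -> list:
    """The flaw: user input is pasted straight into the SQL text."""
    sql = f"SELECT malware, count FROM detections WHERE country = '{country}' ORDER BY malware"
    return conn.execute(sql).fetchall()


def safe_lookup(conn: sqlite3.Connection, country: str) -> list:
    """The fix: the value is bound as a parameter, never parsed as SQL."""
    sql = "SELECT malware, count FROM detections WHERE country = ? ORDER BY malware"
    return conn.execute(sql, (country,)).fetchall()


def write_is_blocked(conn: sqlite3.Connection) -> bool:
    """True if the connection cannot modify data (read-only privilege holds)."""
    try:
        conn.execute("DELETE FROM detections")
        return False
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return True


def run_demo() -> dict:
    """Exercise both lookups with a classic tautology input and test the write path."""
    fd, path = tempfile.mkstemp(suffix=".db")
    os.close(fd)
    try:
        build_db(path)
        conn = open_readonly(conn_path := path)
        injected = "' OR '1'='1"  # turns the WHERE clause into an always-true condition
        result = {
            "vulnerable_normal": vulnerable_lookup(conn, "FI"),
            "vulnerable_injected": vulnerable_lookup(conn, injected),  # every row leaks
            "safe_injected": safe_lookup(conn, injected),  # no country has that name
            "write_blocked": write_is_blocked(conn),
        }
        conn.close()
        return result
    finally:
        os.remove(conn_path)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The read-only account does nothing to stop the leak of rows the page was already allowed to read, which matches what happened here: parameterization closes the injection itself, while the privilege boundary is what kept the attackers from writing data or reaching anything outside that one database.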

First there's MS09-002 which addresses two vulnerabilities in Internet Explorer 7.

And then there is MS09-004 which patches a vulnerability in Microsoft SQL Server.

You can see from the bulletin that exploit code has already been published for the SQL vulnerability.

The Internet Explorer 7 vulnerability allows for Remote Code Execution on Windows XP SP2/3 and Windows Vista. Considering the installed base, and the high Exploitability assessment, expect to see exploits in-the-wild very soon.

We recently read an interesting story from MSNBC's "The Red Tape Chronicles" regarding an emerging Social Networking scam. (There's also video.)

The victim of the scam had his Facebook account hacked. The attacker then targeted his friends by changing the Status message to "BRYAN IS IN URGENT NEED OF HELP!!!". And at least one of his friends fell for it, and wired $1,200 to the hacker.

Discussing this article in our San Jose office, we discovered that one of our employees knew someone that was targeted in the same way. Only, he didn't fall for the scam. We asked for permission to post his chat logs.

"Lisa" is the hacked account. "Bob" is the target.

Here's the conversation:

Bob's skepticism proved to be invaluable. His next action was to contact Lisa so that she could recover her account access.

We know of many Social Networking sites that are targeted by Phishing. This type of scam could occur on any of them. A healthy amount of caution is very helpful if you wish to fully enjoy your Social Networking experience.

A new mobile phone application, Google Latitude, was introduced yesterday. It's an interesting new addition to Google Maps.

According to Google, with Latitude you can:

• See where your friends are and what they are up to
• Quickly contact them with SMS, IM, or a phone call
• Maintain complete control over your privacy

Err… Complete control? True, only the friends that you add/allow are able to follow your movements and Latitude does have a manual override function. But complete control? Perhaps it would be more accurate to claim that there are strong controls.

Assuming that you remember to use those controls of course.

If you want to maintain complete control over your privacy, you probably won't be installing Latitude.

On the other hand, if you're willing to share some of your personal details, Latitude could prove itself to be a really useful feature.

It's a question that we're frequently asked about and it can be challenging to provide a really good answer…

It's an underground economy, it's big, it's global, and no one organization can really understand the true costs without extensive amounts of research and cooperation. And victims don't always (for quite valid reasons) want to cooperate.

It probably says something that we're not surprised by stuff like this anymore.

And while nine million dollars is definitely a very impressive amount of cash to steal during a single coordinated attack, based on the conversations we've had with banking industry insiders, that's certainly just the smallest tip of the overall iceberg.

Greetings from a snowy Netherlands where a bunch of us are at our annual Species conference, an event for our ISP partners.

Partnering with ISPs to provide Security as a Service has been a core strategy for several years and we now have over 180 partners working with us to secure end-users. In fact, we have more ISP partners in Europe, US and Asia than any other antivirus vendor. This means that we have millions of users around the world running our software who have never heard of F-Secure — and that's fine with us.

At this year's conference we have participants from over 22 different countries, and it's been a great event: we've been able not only to share our views and ideas on what F-Secure and our products will look like in the future, but our partners have also been able to share their experiences on everything from customer support and marketing to the implementation of new services.